Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 488
Alerts This Week
Warning Icon 1 488

Scientific Linux: SLSA-2015:1921-1 Critical: java-1.7.0-openjdk

Scientific Large Esm H446
Important: java-1.7.0-openjdk security update
Date: Wed, 21 Oct 2015 22:26:52 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: java-1.7.0-openjdk on SL5.x i386/x86_64
MIME-Version: 1.0
Message-ID: <20151021222652.7560.51@slpackages.fnal.gov>

Synopsis: Important: java-1.7.0-openjdk security update
Advisory ID: SLSA-2015:1921-1
Issue Date: 2015-10-21
CVE Numbers: CVE-2015-4806
 CVE-2015-4835
 CVE-2015-4881
 CVE-2015-4843
 CVE-2015-4883
 CVE-2015-4860
 CVE-2015-4805
 CVE-2015-4844
 CVE-2015-4840
 CVE-2015-4882
 CVE-2015-4842
 CVE-2015-4734
 CVE-2015-4903
 CVE-2015-4803
 CVE-2015-4893
 CVE-2015-4911
 CVE-2015-4872
--

Multiple flaws were discovered in the CORBA, Libraries, RMI,
Serialization, and 2D components in OpenJDK. An untrusted Java application
or applet could use these flaws to completely bypass Java sandbox
restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883,
CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)

Multiple denial of service flaws were found in the JAXP component in
OpenJDK. A specially crafted XML file could cause a Java application using
JAXP to consume an excessive amount of CPU and memory when parsed.
(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)

It was discovered that the Security component in OpenJDK failed to
properly check if a certificate satisfied all defined constraints. In
certain cases, this could cause a Java application to accept an X.509
certificate which does not meet requirements of the defined policy.
(CVE-2015-4872)

Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,
CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)

All running instances of OpenJDK Java must be restarted for the update to
take effect.
--

SL5
 x86_64
 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
 java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
 java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
 java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
 java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
 i386
 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11.i386.rpm
 java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el5_11.i386.rpm
 java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11.i386.rpm
 java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11.i386.rpm
 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11.i386.rpm
 java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11.i386.rpm

- Scientific Linux Development Team